The Heartbleed Bug Explained In One Cartoon

Published 10:24 am, Friday, April 11, 2014

Just days ago one of the largest Internet security flaws in recent history was discovered: the Heartbleed bug.

While you've probably read several lengthy articles and FAQs detailing how the bug works, this cartoon is probably the simplest explanation yet.

The Heartbleed bug tricks a server into spilling out extra information from its memory. A server's memory often includes sensitive personal information, such as your passwords, credit card numbers, and other data you wouldn't want anyone else to see.

This information is usually encrypted, which means it's translated into an indecipherable code when it's transferred between servers, but Heartbleed can leak the codes used to protect your data, which lets an attacker decode that encryption. That's because Heartbleed takes advantage of a vulnerability in OpenSSL, a popular piece of encryption software used to power a giant chunk of the Web.

Heartbleed exploits a flaw in an OpenSSL feature called Heartbeat, which is a means of calling out to a server to make sure the connection is secure. A Heartbeat message usually contains some arbitrary data and a length field stating how many bytes of data are in the message. The server then sends that exact message back to the original sender to prove that the connection is secure. The Heartbleed bug comes from the server trusting that length field without checking it against how much data actually arrived, which in turn tricks the server into spitting out more data from its memory than it should, without realizing it.
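To make the length-field problem concrete, here is an added simulation (written for this page, not code from OpenSSL or from the article) of a Heartbeat echo handler before and after the fix. It places a constructed Heartbeat request at the start of a small fake memory array, puts a constructed "secret" right after it as a stand-in for whatever else the server happened to hold, and shows that the pre-fix handler copies however many bytes the sender claimed, while the post-fix handler checks the claimed length against the record that actually arrived and drops the request when they disagree. The message layout (1-byte type, 2-byte big-endian length, payload, at least 16 bytes of padding) follows RFC 6520; the memory layout and the secret are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory: the received Heartbeat record sits at offset 0 and
   other data the process happens to hold follows it. Constructed for this example. */
#define MEMORY_SIZE 256
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

struct heartbeat_result {
    int type;                           /* HB_RESPONSE if a reply was built, 0 if dropped */
    size_t payload_len;                 /* bytes copied into the reply */
    unsigned char payload[MEMORY_SIZE];
};

/* Lay out a Heartbeat request followed by a secret. `claimed_len` is what the
   sender writes in the length field; the payload actually sent is strlen(payload).
   Returns the number of bytes the record really occupies. */
static size_t build_memory(unsigned char *mem, const char *payload,
                           uint16_t claimed_len, const char *secret)
{
    memset(mem, 0, MEMORY_SIZE);
    size_t actual = strlen(payload);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual);
    size_t record_len = 3 + actual + HB_PADDING;   /* padding bytes stay zero */
    memcpy(mem + record_len, secret, strlen(secret)); /* "nearby" process data */
    return record_len;
}

/* Pre-fix behaviour: trust the length field and echo that many bytes back.
   The real record length is never consulted. */
static struct heartbeat_result handle_vulnerable(const unsigned char *mem, size_t record_len)
{
    struct heartbeat_result r = {0};
    (void)record_len;
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    /* Simulation guard only: keeps the read inside our fake memory array so the
       program stays well-defined. The real bug had no such clamp. */
    if (claimed > MEMORY_SIZE - 3) claimed = MEMORY_SIZE - 3;
    r.type = HB_RESPONSE;
    r.payload_len = claimed;
    memcpy(r.payload, mem + 3, claimed);
    return r;
}

/* Post-fix behaviour: the claimed payload plus header and padding must fit in
   the record that actually arrived; otherwise discard the message silently. */
static struct heartbeat_result handle_fixed(const unsigned char *mem, size_t record_len)
{
    struct heartbeat_result r = {0};
    if (record_len < (size_t)1 + 2 + HB_PADDING) return r;   /* no room for a length field */
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)1 + 2 + claimed + HB_PADDING > record_len) return r; /* length lies: drop */
    r.type = HB_RESPONSE;
    r.payload_len = claimed;
    memcpy(r.payload, mem + 3, claimed);
    return r;
}

/* Does the reply contain the given string anywhere in its payload? */
static int response_contains(const struct heartbeat_result *r, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || r->payload_len < n) return 0;
    for (size_t i = 0; i + n <= r->payload_len; i++)
        if (memcmp(r->payload + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char mem[MEMORY_SIZE];
    const char *secret = "SECRET-KEY-MATERIAL";   /* constructed stand-in for real data */
    size_t rl = build_memory(mem, "bird", 200, secret); /* 4 bytes sent, 200 claimed */
    struct heartbeat_result v = handle_vulnerable(mem, rl);
    struct heartbeat_result f = handle_fixed(mem, rl);
    printf("record holds %zu bytes, sender claimed 200: vulnerable echoed %zu bytes "
           "(secret leaked: %s); fixed echoed %zu bytes\n",
           rl, v.payload_len, response_contains(&v, secret) ? "yes" : "no", f.payload_len);
    return 0;
}
```

The honest case (payload "bird", length 4) is answered identically by both handlers; only the lying request separates them, which is why the fix is a single comparison between the claimed length and the bytes actually received.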